CVE-2021-40651
Published 2021-09-29
Priority P3 · 54 · medium · 6.5 CVSS 3.1
AV:N · AC:L · PR:L · UI:N · S:U · C:H · I:N · A:N
EXPLOIT
EPSS: 18.41% (96.9th percentile)
OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary files from the server's filesystem as long as the application has access to them.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| os4ed | opensis | — | — |
Detection & IOCs
url: /Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
sigma: regex('root:.*:0:0:', body)
- Look for path traversal sequences ('%2f..%2f' or '/../') in the 'modname' GET parameter of requests to Modules.php, particularly targeting sensitive files such as /etc/passwd.
- Exploitation requires prior authentication as the 'Parent' user role. Monitor for login attempts to /index.php followed immediately by traversal requests to /Modules.php.
- Use Shodan/FOFA queries to identify exposed OpenSIS instances: Shodan 'title:"openSIS"' or FOFA 'title="opensis"', then probe for the LFI pattern in Modules.php.
- A successful exploitation response will contain the string matching 'root:.*:0:0:' in the HTTP response body, indicating /etc/passwd file disclosure.
- Exploitation requires an authenticated session as the 'Parent' user role; unauthenticated exploitation is not possible.
- The LFI is limited to files readable by the web application process; files with restricted OS permissions cannot be disclosed.
- The vulnerability was tested on both Windows and Linux platforms, so traversal payloads and target file paths may differ per OS.
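One way to run the log-based checks above over web server access logs, as an added example that is not taken from the advisory, Exploit-DB entry or Nuclei template. The log lines are constructed samples, and the function names, the combined-log layout and the 5-minute login window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2021:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512
203.0.113.7 - - [03/Sep/2021:10:00:09 +0000] "GET /Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2fetc%2fpasswd&failed_login= HTTP/1.1" 200 1843
198.51.100.4 - - [03/Sep/2021:10:02:00 +0000] "GET /Modules.php?modname=miscellaneous%2fPortal.php HTTP/1.1" 200 9120
198.51.100.9 - - [03/Sep/2021:10:03:00 +0000] "GET /Modules.php?modname=..%255c..%255cexample.txt HTTP/1.1" 200 92
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def decode_fully(value, rounds=3):
    """Undo repeated URL-encoding and treat Windows '\\' as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(modname):
    # Flag only whole '..' path segments, so names like 'a..b' do not match.
    return ".." in decode_fully(modname).split("/")

def detect(log_text, window=timedelta(minutes=5)):
    """Return one alert per traversal attempt in Modules.php?modname=..."""
    last_login, alerts = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        path = url.path.lower()
        if path.endswith("/index.php"):
            last_login[ip] = when          # login page hit from this client
        elif path.endswith("/modules.php"):
            for modname in parse_qs(url.query).get("modname", []):
                if has_traversal(modname):
                    seen = last_login.get(ip)
                    alerts.append({
                        "ip": ip, "status": int(status),
                        "modname": decode_fully(modname),
                        "after_login": seen is not None and when - seen <= window,
                    })
    return alerts
```

Alerts with `after_login` set match the login-then-traversal sequence described above; the response-body check for `root:.*:0:0:` needs body capture and is not covered by access logs.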
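CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |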
No detection rules found.
Exploit-DB
OpenSIS 8.0 'modname' - Directory Traversal
exploitdb · 2021-09-03 · CVSS 6.5
CVE-2021-40651 [MEDIUM]
---
# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
# Date: 09-02-2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE: CVE-2021-40651
The 'modname' parameter in 'Modules.php' is vulnerable to a local file inclusion vulnerability. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system.
To exploit the vulnerability, someone must log in as the "Parent" user, navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter and requests the Portal.php's contents. By going back a few directories using '..%2f' decoded as
Nuclei
OS4Ed OpenSIS Community 8.0 - Local File Inclusion
nuclei · CVSS 6.5
CVE-2021-40651 [MEDIUM]
OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary files from the server's filesystem as long as the application has access to them.
Template:
id: CVE-2021-40651

info:
  name: OS4Ed OpenSIS Community 8.0 - Local File Inclusion
  author: ctflearner
  severity: medium
  description: |
    OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file.
  impact: |
    Authenticated attackers can read arbitrary files from the server including /etc/passwd via path traversal in the modname paramet
No writeups or analysis indexed.
https://github.com/MiSERYYYYY/Vulnerability-Reports-and-Disclosures/blob/main/OpenSIS-Community-8.0.md
https://www.exploit-db.com/exploits/50259
https://youtu.be/wFwlbXANRCo
Published: 2021-09-29